Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

User Story #1382 (accepted)

Opened 11 years ago

Last modified 8 years ago

Improve LDAP support

Reported by: jamoore Owned by: jamoore
Priority: critical Milestone: Unscheduled
Component: Deployment Keywords: n.a.
Cc: jay_copeland@…, stephen.ogg@…, FCORNELI@…, atarkowska, cxallan Story Points: n.a.
Sprint: n.a. Importance: n.a.
Total Remaining Time: 9.0d Estimated Remaining Time: n.a.

Change History (14)

comment:1 Changed 11 years ago by jmoore

  • Cc stephen.ogg at imb.a-star.edu.sg FCORNELI@… added; stephen.ogg at imb.a-star.edu.sg FCORNELI at its.jnj.com removed

comment:2 Changed 11 years ago by jmoore

  • Cc stephen.ogg@… added; stephen.ogg at imb.a-star.edu.sg removed

comment:3 Changed 11 years ago by jmoore

  • Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2

comment:4 Changed 11 years ago by jmoore

  • Cc cxallan added
  • Description modified (diff)

The liferay integration uses the following parameters:

    ldap.auth.enabled=true
    ldap.auth.required=true

    ldap.users.dn=ou=People,dc=localdomain
    ldap.groups.dn=ou=Groups,dc=localdomain

    ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
    ldap.user.impl=com.liferay.portal.security.ldap.LDAPUser

    ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember

    ldap.import.user.search.filter=(objectClass=inetOrgPerson)
    ldap.import.group.search.filter=(objectClass=groupOfUniqueNames)

    ldap.auth.search.filter=(mail=@email_address@)

comment:5 Changed 10 years ago by jmoore

(In [6550]) fix #2025 - Fixing ldap tests post-refactoring (see #1382)

With this commit, the basic reconfiguration of LDAP is finished.
Usability and performance improvements should be added to #1382

comment:6 Changed 10 years ago by jmoore

As a follow up on #2025, the new properties which we are currently testing are:

omero.ldap.user_filter=(objectClass=person)
omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
omero.ldap.group_filter=(objectClass=groupOfNames)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=default
#omero.ldap.new_user_group=:ou:
#omero.ldap.new_user_group=:attribute:memberOf
#omero.ldap.new_user_group=:query:(member=${dn})

The filters and mappings are as in the liferay documentation above. The "new_user_group" property is an experiment to allow for various styles of mapping:

  • no prefix implies use the static group named "${omero.ldap.new_user_group}"
  • the ":ou:" prefix means map the users last organizationl unit to a group name, "ou=IT,ou=division,o=college" would map to a group of "IT"
  • the ":attribute:" prefix means take the possibly multi-valued attribute defined and add the user to all groups
  • the ":query:" attribute is a query run under the group filter which has all the user mapping properties plus "${dn}" available to it, so that the above example looks for all groupOfNames with a member attribute with the dn as a value
  • a possible (unimplemented) prefix ":bean:" could allow for implementing one's own NewUserGroupMapper

comment:7 Changed 10 years ago by jmoore

  • Description modified (diff)

comment:8 Changed 10 years ago by jmoore

  • Description modified (diff)

comment:9 Changed 10 years ago by jmoore

(In [6916]) see #1382 - Ldap tests and NewUserGroupBean interface. See also #2029

This interface is only responsible for adding groups based on newly
created users. ome.security.auth.RoleProvider and PasswordProvider
are two other interfaces which are available. The three together may
be sufficient for #2029.

comment:10 Changed 10 years ago by jmoore

  • Description modified (diff)

comment:11 Changed 10 years ago by cxallan

A single user filter such as:

...
omero.ldap.user_filter=(cn=jburel)
...

Does not allow users that match to login.

comment:12 Changed 9 years ago by jmoore

  • Description modified (diff)
  • Priority changed from major to critical

comment:13 Changed 8 years ago by jmoore

  • Description modified (diff)

comment:14 Changed 8 years ago by agilo

  • Status changed from new to accepted

Updated status, related task in progress

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.250006 sec.)

We're Hiring!